Comment by rdl
12 years ago
And if a security bug did pop up, I'd sure rather bet on Duo, Authy, etc. fixing their app quickly than Google doing so, given that I don't think anyone is actually on the Authenticator team. I'm sure someone within Google would consider it a high priority to fix, but it wouldn't be as easy for them to quickly address something.
What kind of security bug? The only thing the program should need is a secure place to store the tokens - which I expect is provided by Android, no? - and to read the time from the system. It shouldn't be exposed to anything else.
Some theoretical bug. It happens, even in simple stuff.
More likely would be e.g. a platform finally getting a halfway decent way to store secrets (which iOS got with the 3GS and even better with iOS 5/6/7), and which Android as a whole still lacks (specific manufacturers are adding it, like Samsung, but it's not a standard due to Google being insane). I don't see a zombie client rapidly adopting those new storage technologies.